Resources

OpenEMR Cross-Site Scripting Vulnerability

,

January 13, 2020

|

1

min read

Vulnerability

Purplemet Lab team discovered a cross-site scripting (XSS) vulnerability in OpenEMR before 5.0.1 Patch 6 (CVE-2018-18035). These versions embed a third party component named FlashCanvas which provides flashcanvas.swf, a Flash file vulnerable to a cross-site scripting.

Solution

Update to OpenEMR 5.0.1 Patch 6 or latest version.

Proof of concept

The vulnerability can be triggered using the following URL:


                               http://ip/openemr/portal/sign/assets/flashcanvas.swf?id=12345678\%22));}catch(e){alert(document.domain)}//
                           

Reference

See OpenEMR 5.0.1 Patch (9/9/18) release.

Purplemet technology detection

Purplemet detects OpenEMR with version and CVE.

Purplemet detection of OpenEMR
Purplemet identification of OpenEMR CVE

Continue reading

Product Updates

Purplemet Cloud 1.14.0 New Features

,

October 7, 2022

|

5

min read

Product Updates

Flash End-of-Life and Your Web Applications

,

August 25, 2020

|

6

min read

Product Updates

Purplemet Cloud 1.23.0 New Features

,

September 9, 2024

|

6

min read

Join 100+ Organizations and Secure Your Web Attack Surface with Purplemet

Purplemet
Schedule a Demo
Get Free Security Assessment